Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 15:54

Behavioral task: behavioral1
Sample: 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241010-en

General
Target: 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: b7320ad651a87776f1ab8f515a98f465
SHA1: 1332ed8e965defa1f7820110b71571544418d70b
SHA256: 2ce5ebfbde3351433e28dd5a8385785eca67a35cd0057197db4c03876119ac03
SHA512: 1af457976efbb56bcb01465a8506f7559dd8d3fecb0d6d58668c2c221efa8f9fa4660186d8bebdeba03b0dca9b308ecd43f4824746d91a678f4b8a3f3cd3270d
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibd56utgpPFotBER/mQ32lUe
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
yara_rule cobalt_reflective_dll matched on resources:
behavioral2/files/0x000b000000023b7a-5.dat
behavioral2/files/0x000a000000023b7f-16.dat
behavioral2/files/0x000a000000023b80-22.dat
behavioral2/files/0x000a000000023b81-28.dat
behavioral2/files/0x000a000000023b7e-12.dat
behavioral2/files/0x000a000000023b82-35.dat
behavioral2/files/0x000a000000023b83-40.dat
behavioral2/files/0x000a000000023b85-58.dat
behavioral2/files/0x000a000000023b86-68.dat
behavioral2/files/0x000a000000023b84-62.dat
behavioral2/files/0x000b000000023b7b-52.dat
behavioral2/files/0x000a000000023b87-75.dat
behavioral2/files/0x000a000000023b89-82.dat
behavioral2/files/0x000a000000023b8a-91.dat
behavioral2/files/0x000a000000023b8b-94.dat
behavioral2/files/0x000a000000023b8c-101.dat
behavioral2/files/0x000a000000023b8d-109.dat
behavioral2/files/0x000a000000023b90-129.dat
behavioral2/files/0x000a000000023b91-139.dat
behavioral2/files/0x000a000000023b8f-133.dat
behavioral2/files/0x000a000000023b8e-130.dat

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (46 IoCs)
yara_rule xmrig matched on resources:
behavioral2/memory/892-17-0x00007FF652920000-0x00007FF652C71000-memory.dmp
behavioral2/memory/892-66-0x00007FF652920000-0x00007FF652C71000-memory.dmp
behavioral2/memory/1200-67-0x00007FF624C20000-0x00007FF624F71000-memory.dmp
behavioral2/memory/3456-55-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
behavioral2/memory/4480-54-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/memory/1576-72-0x00007FF673510000-0x00007FF673861000-memory.dmp
behavioral2/memory/1868-81-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
behavioral2/memory/2284-97-0x00007FF750C10000-0x00007FF750F61000-memory.dmp
behavioral2/memory/4264-104-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp
behavioral2/memory/1628-120-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp
behavioral2/memory/3016-137-0x00007FF603290000-0x00007FF6035E1000-memory.dmp
behavioral2/memory/2912-96-0x00007FF663E20000-0x00007FF664171000-memory.dmp
behavioral2/memory/3460-83-0x00007FF604900000-0x00007FF604C51000-memory.dmp
behavioral2/memory/844-76-0x00007FF670620000-0x00007FF670971000-memory.dmp
behavioral2/memory/464-152-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
behavioral2/memory/2200-154-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp
behavioral2/memory/2312-164-0x00007FF708F20000-0x00007FF709271000-memory.dmp
behavioral2/memory/4480-155-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/memory/1792-167-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp
behavioral2/memory/3688-166-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp
behavioral2/memory/1116-165-0x00007FF7954C0000-0x00007FF795811000-memory.dmp
behavioral2/memory/2176-163-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp
behavioral2/memory/3888-162-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp
behavioral2/memory/3908-161-0x00007FF781830000-0x00007FF781B81000-memory.dmp
behavioral2/memory/4480-179-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/memory/3456-215-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
behavioral2/memory/892-217-0x00007FF652920000-0x00007FF652C71000-memory.dmp
behavioral2/memory/1576-219-0x00007FF673510000-0x00007FF673861000-memory.dmp
behavioral2/memory/844-221-0x00007FF670620000-0x00007FF670971000-memory.dmp
behavioral2/memory/1868-223-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
behavioral2/memory/2912-227-0x00007FF663E20000-0x00007FF664171000-memory.dmp
behavioral2/memory/2284-233-0x00007FF750C10000-0x00007FF750F61000-memory.dmp
behavioral2/memory/1200-236-0x00007FF624C20000-0x00007FF624F71000-memory.dmp
behavioral2/memory/4264-237-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp
behavioral2/memory/1628-239-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp
behavioral2/memory/3016-241-0x00007FF603290000-0x00007FF6035E1000-memory.dmp
behavioral2/memory/3460-249-0x00007FF604900000-0x00007FF604C51000-memory.dmp
behavioral2/memory/464-251-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
behavioral2/memory/2200-253-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp
behavioral2/memory/3908-255-0x00007FF781830000-0x00007FF781B81000-memory.dmp
behavioral2/memory/3888-261-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp
behavioral2/memory/2176-263-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp
behavioral2/memory/2312-265-0x00007FF708F20000-0x00007FF709271000-memory.dmp
behavioral2/memory/1116-267-0x00007FF7954C0000-0x00007FF795811000-memory.dmp
behavioral2/memory/1792-269-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp
behavioral2/memory/3688-271-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp

Executes dropped EXE (21 IoCs)
pid / Process:
3456 jeeKNAe.exe
892 GJtzZct.exe
1576 zsvZXhS.exe
844 qByjvmM.exe
1868 HRFefzB.exe
2912 LTEcIwE.exe
2284 cqYZSrg.exe
4264 QEImdxU.exe
1628 dTsiWzU.exe
1200 SzmabeS.exe
3016 fkTWcsh.exe
3460 UjuZksc.exe
464 dIHoUeN.exe
2200 erZVkWp.exe
3908 zazXphj.exe
3888 emDsXog.exe
2176 RMnQifx.exe
2312 fpzeSPb.exe
1116 dFablLy.exe
3688 XGwbNwe.exe
1792 pCCcCse.exe

yara_rule upx matched on resources:
behavioral2/memory/4480-0-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/files/0x000b000000023b7a-5.dat
behavioral2/files/0x000a000000023b7f-16.dat
behavioral2/files/0x000a000000023b80-22.dat
behavioral2/files/0x000a000000023b81-28.dat
behavioral2/memory/1868-30-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
behavioral2/memory/844-23-0x00007FF670620000-0x00007FF670971000-memory.dmp
behavioral2/memory/1576-18-0x00007FF673510000-0x00007FF673861000-memory.dmp
behavioral2/memory/892-17-0x00007FF652920000-0x00007FF652C71000-memory.dmp
behavioral2/files/0x000a000000023b7e-12.dat
behavioral2/memory/3456-10-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
behavioral2/files/0x000a000000023b82-35.dat
behavioral2/memory/2912-36-0x00007FF663E20000-0x00007FF664171000-memory.dmp
behavioral2/files/0x000a000000023b83-40.dat
behavioral2/memory/2284-42-0x00007FF750C10000-0x00007FF750F61000-memory.dmp
behavioral2/memory/4264-48-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp
behavioral2/files/0x000a000000023b85-58.dat
behavioral2/memory/1628-61-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp
behavioral2/memory/892-66-0x00007FF652920000-0x00007FF652C71000-memory.dmp
behavioral2/files/0x000a000000023b86-68.dat
behavioral2/memory/3016-69-0x00007FF603290000-0x00007FF6035E1000-memory.dmp
behavioral2/memory/1200-67-0x00007FF624C20000-0x00007FF624F71000-memory.dmp
behavioral2/files/0x000a000000023b84-62.dat
behavioral2/memory/3456-55-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
behavioral2/memory/4480-54-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/files/0x000b000000023b7b-52.dat
behavioral2/memory/1576-72-0x00007FF673510000-0x00007FF673861000-memory.dmp
behavioral2/files/0x000a000000023b87-75.dat
behavioral2/files/0x000a000000023b89-82.dat
behavioral2/memory/1868-81-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
behavioral2/files/0x000a000000023b8a-91.dat
behavioral2/files/0x000a000000023b8b-94.dat
behavioral2/memory/2284-97-0x00007FF750C10000-0x00007FF750F61000-memory.dmp
behavioral2/files/0x000a000000023b8c-101.dat
behavioral2/memory/4264-104-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp
behavioral2/files/0x000a000000023b8d-109.dat
behavioral2/memory/1628-120-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp
behavioral2/memory/2312-124-0x00007FF708F20000-0x00007FF709271000-memory.dmp
behavioral2/files/0x000a000000023b90-129.dat
behavioral2/memory/1116-134-0x00007FF7954C0000-0x00007FF795811000-memory.dmp
behavioral2/files/0x000a000000023b91-139.dat
behavioral2/memory/1792-142-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp
behavioral2/memory/3688-141-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp
behavioral2/memory/3016-137-0x00007FF603290000-0x00007FF6035E1000-memory.dmp
behavioral2/files/0x000a000000023b8f-133.dat
behavioral2/files/0x000a000000023b8e-130.dat
behavioral2/memory/2176-110-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp
behavioral2/memory/3888-106-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp
behavioral2/memory/3908-98-0x00007FF781830000-0x00007FF781B81000-memory.dmp
behavioral2/memory/2912-96-0x00007FF663E20000-0x00007FF664171000-memory.dmp
behavioral2/memory/2200-90-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp
behavioral2/memory/464-84-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
behavioral2/memory/3460-83-0x00007FF604900000-0x00007FF604C51000-memory.dmp
behavioral2/memory/844-76-0x00007FF670620000-0x00007FF670971000-memory.dmp
behavioral2/memory/464-152-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
behavioral2/memory/2200-154-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp
behavioral2/memory/2312-164-0x00007FF708F20000-0x00007FF709271000-memory.dmp
behavioral2/memory/4480-155-0x00007FF796330000-0x00007FF796681000-memory.dmp
behavioral2/memory/1792-167-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp
behavioral2/memory/3688-166-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp
behavioral2/memory/1116-165-0x00007FF7954C0000-0x00007FF795811000-memory.dmp
behavioral2/memory/2176-163-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp
behavioral2/memory/3888-162-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp
behavioral2/memory/3908-161-0x00007FF781830000-0x00007FF781B81000-memory.dmp

Drops file in Windows directory (21 IoCs)
Process: 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
description / ioc:
File created C:\Windows\System\fpzeSPb.exe
File created C:\Windows\System\dFablLy.exe
File created C:\Windows\System\jeeKNAe.exe
File created C:\Windows\System\GJtzZct.exe
File created C:\Windows\System\LTEcIwE.exe
File created C:\Windows\System\emDsXog.exe
File created C:\Windows\System\RMnQifx.exe
File created C:\Windows\System\qByjvmM.exe
File created C:\Windows\System\QEImdxU.exe
File created C:\Windows\System\dIHoUeN.exe
File created C:\Windows\System\erZVkWp.exe
File created C:\Windows\System\UjuZksc.exe
File created C:\Windows\System\zazXphj.exe
File created C:\Windows\System\XGwbNwe.exe
File created C:\Windows\System\pCCcCse.exe
File created C:\Windows\System\zsvZXhS.exe
File created C:\Windows\System\HRFefzB.exe
File created C:\Windows\System\cqYZSrg.exe
File created C:\Windows\System\SzmabeS.exe
File created C:\Windows\System\dTsiWzU.exe
File created C:\Windows\System\fkTWcsh.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
Token: SeLockMemoryPrivilege 4480 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 4480 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Process: 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe (pid 4480)
description / procid_target (each event was recorded twice):
PID 4480 wrote to memory of 3456, procid_target 84
PID 4480 wrote to memory of 892, procid_target 85
PID 4480 wrote to memory of 1576, procid_target 86
PID 4480 wrote to memory of 844, procid_target 87
PID 4480 wrote to memory of 1868, procid_target 88
PID 4480 wrote to memory of 2912, procid_target 89
PID 4480 wrote to memory of 2284, procid_target 90
PID 4480 wrote to memory of 4264, procid_target 91
PID 4480 wrote to memory of 1628, procid_target 92
PID 4480 wrote to memory of 1200, procid_target 93
PID 4480 wrote to memory of 3016, procid_target 94
PID 4480 wrote to memory of 3460, procid_target 95
PID 4480 wrote to memory of 464, procid_target 96
PID 4480 wrote to memory of 2200, procid_target 97
PID 4480 wrote to memory of 3908, procid_target 99
PID 4480 wrote to memory of 3888, procid_target 100
PID 4480 wrote to memory of 2176, procid_target 101
PID 4480 wrote to memory of 2312, procid_target 102
PID 4480 wrote to memory of 1116, procid_target 104
PID 4480 wrote to memory of 3688, procid_target 105
PID 4480 wrote to memory of 1792, procid_target 106
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4480)
  "C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System\jeeKNAe.exe (PID 3456)
    - Executes dropped EXE
  C:\Windows\System\GJtzZct.exe (PID 892)
    - Executes dropped EXE
  C:\Windows\System\zsvZXhS.exe (PID 1576)
    - Executes dropped EXE
  C:\Windows\System\qByjvmM.exe (PID 844)
    - Executes dropped EXE
  C:\Windows\System\HRFefzB.exe (PID 1868)
    - Executes dropped EXE
  C:\Windows\System\LTEcIwE.exe (PID 2912)
    - Executes dropped EXE
  C:\Windows\System\cqYZSrg.exe (PID 2284)
    - Executes dropped EXE
  C:\Windows\System\QEImdxU.exe (PID 4264)
    - Executes dropped EXE
  C:\Windows\System\dTsiWzU.exe (PID 1628)
    - Executes dropped EXE
  C:\Windows\System\SzmabeS.exe (PID 1200)
    - Executes dropped EXE
  C:\Windows\System\fkTWcsh.exe (PID 3016)
    - Executes dropped EXE
  C:\Windows\System\UjuZksc.exe (PID 3460)
    - Executes dropped EXE
  C:\Windows\System\dIHoUeN.exe (PID 464)
    - Executes dropped EXE
  C:\Windows\System\erZVkWp.exe (PID 2200)
    - Executes dropped EXE
  C:\Windows\System\zazXphj.exe (PID 3908)
    - Executes dropped EXE
  C:\Windows\System\emDsXog.exe (PID 3888)
    - Executes dropped EXE
  C:\Windows\System\RMnQifx.exe (PID 2176)
    - Executes dropped EXE
  C:\Windows\System\fpzeSPb.exe (PID 2312)
    - Executes dropped EXE
  C:\Windows\System\dFablLy.exe (PID 1116)
    - Executes dropped EXE
  C:\Windows\System\XGwbNwe.exe (PID 3688)
    - Executes dropped EXE
  C:\Windows\System\pCCcCse.exe (PID 1792)
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 5.2MB
MD5: effc0dbc74b21a4d8eed552d24d704fa
SHA1: bb4b8fa60788fb689d7b41b34a1f5c68aa40ed3d
SHA256: e8680bfffbb37874dfff19f76431806314cddaa0ccadf9cc53cecf4c1331114b
SHA512: f764ecf9a1d82ae2a2efdd537a1924514e395a2d4f4661b68170cd94aeac6af97f7d4d0699995f118d4167e0c06b6f3ccd87bcf2599d55fa60aff4cff096873d

Filesize: 5.2MB
MD5: 4cb6b11f1ccd33ce7e6e27feec563838
SHA1: c0094ff42973599caabdbe34072cbea49f03f188
SHA256: 8aa5bdfd7523f8ad90214e27fdeca9d031266d27cbd1e009f1d3f0723522a6f4
SHA512: d699405f9ae85e26d931b7c80ebef2f2eac2dd87110b08baeb3b66bc32d24422d5fe0ad6910b3b091fa11dbab659e8e258c05aba8357baad4349e8d90636871b

Filesize: 5.2MB
MD5: fe507d945f44e00d9066f58603c6df8b
SHA1: c5e202db738091df1e10211fa66c8b669ea1b0b5
SHA256: 25b96c3707f3eb38c76d5744aed0a2637b785b0798be746b5925d160f9fa58a9
SHA512: 21a97c8977adc241836c9059a62a885fe1a0667428df6311b1f2e6e67f603b2474042752885e4b41d333e38a8b1699481d7e97cbbfda97f29cc9290f60382f31

Filesize: 5.2MB
MD5: e97af8476c7d49be6ac8727dc8bad9da
SHA1: 46c3c9a5502f8c50a39ead8ae0de7ec8f6072b70
SHA256: b08818b6ce3b062b83de1abd3c08aa98c690d3cc1f04ac22dc24c465661a9cc7
SHA512: 657437d3ea4a2b8c9f828b06963f8d74fee6154cbee5048d4147456fe71e3d9cdf4f925eea31910d0571582d3f0c693860964c130f0745f28fe79a0006318cc4

Filesize: 5.2MB
MD5: 20ccf8dcbdbb64a175af76ce2c29aec8
SHA1: 1b78f05a53b45f003748698c81f6016cea25ba3b
SHA256: d03f0f06a9988d95e77b904bc2dd85670d8de6d000f43ac2f4d579ec47f54db5
SHA512: 185a5a9ac5d2d256a9d469709ff0dc8a96174368d9feb35e8ebe05533d4c2454943eb71b8538984816d1a8e6c948b8cc1f8d30362eb02502e8d9c498fb94333e

Filesize: 5.2MB
MD5: 02ee8eaa2499211d87c4fda7220561f4
SHA1: 787b09a2a136dfbf39be3404355eafa7bb46e8ef
SHA256: 596d089685b92787e39a2e2deccc293e40d23b3531abe8898e8c4d50b97db6f7
SHA512: 7d102dcf78fd9e073d02b3018a5e7bf61356876e07e7a63442a88e2afb15b466d628545bff49a040f4d4b6a94db8081737fc1db1bc5828dc8f565b6b60b100b9

Filesize: 5.2MB
MD5: 9cdd7f376ad33a2a317af7415c9f14f7
SHA1: 2e68ae76623efe82fa2649723dccd4e0c2853840
SHA256: c53c122384336736e889552341b3d2c71c90546e2d3e408ebfd7835ab65425d0
SHA512: 579765dc056764341beb57fc75ee1fa83ded37b8908049e02bc0860561142c6f6b197f02eed4cb18b2bb78008afe52c00a3620a3c108e3f4147c5485061f3b1c

Filesize: 5.2MB
MD5: 7637e585df42e05f803d7c325b99a74d
SHA1: ae7555d9e779e75d6f139ee14491e8766151dda2
SHA256: 3424bbc52454895430a296e026d69d6c1b9db4c139cbbc4f052daed31116d829
SHA512: b9f95601730680396765301baf187bf0425c917d6707cfb8d54dea09615f05cd5a814cd357069ca8a1754e74133fb555836b3b41077924c41df77be2d93c883a

Filesize: 5.2MB
MD5: 361d19ebfa58e553ada5b77299f8e4aa
SHA1: 7dc5a1dcbdaec4baa98e6e775617f598f194a6dc
SHA256: bced33ded90e32cc7992fcaefc6143129c92138e2eac99a0d3129527ce956cd1
SHA512: 0c39351d106046c0b07620a4b62ad4eef7d850e48e7fa725c2a78ce2cee4f48fcc80bbecbeff38cfe601592cd6179da5adea7ae24a25c5db139bc8f1299aa8d9

Filesize: 5.2MB
MD5: aad50f5f5a0cf50a0456a775f56bc1a0
SHA1: 215eae9e455b2128161e6b582ee61c2c1ba6dd13
SHA256: b6fb99e1972eb4550b73d0156f1f3760399a60ab148baab838f4180becd21c75
SHA512: 8812d4e6c81fdb2a81abe255df43048debb78bdb208a7302174855fc680a6565738cb2b915ccba2d3b33b92f6c6a91a88e1818f5759480fac6fd1c8d6ea9ebec

Filesize: 5.2MB
MD5: 1489aa8a774f18946a5c10a19b922cfe
SHA1: 76504be4ecc338f1ae685b100b5fdafa7d19ac75
SHA256: aab30e32da7a2c26b01504410c70c915ce38938222595f96674104ec4baa4c86
SHA512: 7bed9b72b236f5543888eca3e5e99efbd0dd30d8be7bb770f0fdf2abcc7636df33de41a3be98d13d01615939cbeea54e83725082ea544a565fa22f60a31284e4

Filesize: 5.2MB
MD5: ab69ff42fbb5f88dbb4a411ebd7f49df
SHA1: 1d94cf36f4d19568c6519fec11ea23b7fa39e336
SHA256: 062eb8c505bcf1a098ad3be884e19bbe0ab922960e90a03a384c68003d27a8a7
SHA512: a6862d586985f66fc5d4bc1f98d3e3a1f9ea77d0c7fff3bbb22501bd3dc53097af920de5207833be28434ff0f53e820bb3a80299939a6b26701f39890a7ead4c

Filesize: 5.2MB
MD5: eff32b361b81eca9c562d82545d7ddab
SHA1: f59ef507e095b069a434c9b89d7bac544d960481
SHA256: abcd460441b5e3ad56be45524a440239468e7746037f9afb359a32f6ef74f840
SHA512: f177178730561adafba330ac5d95a77c431a6c6f77ec8dca15e932c870e6a94335536d6d3bb1c0f9f8f43ac5168d4aa27c176f85bcf02d2b118319bb632b877a

Filesize: 5.2MB
MD5: 640eee1b01e1819a288731e04509c034
SHA1: 48c9f57091f6ecc80dbc9b2dbaec1134c90fdcfc
SHA256: 2034927e33e72a757858cc64177ded349b603677ce5b3f73eff2ada7543767b6
SHA512: fd3ef4f7c41bd24747e4b3214285518ebc2d72e17441ea5b9f45d9d4dfb96e0ab3410ec56607ad918f7fcf3db60c3a27c24ae03d9c90797dbc92907662d17a66

Filesize: 5.2MB
MD5: d8d3b0e2ff017d2395c6f28677bce614
SHA1: 94b36ce9e78352eb3e6dec6ec757481fd2493551
SHA256: 083649ed1b0e53cb17e340ed9d21a6ef9748c0f922f3ced99237c3cce9ba86ed
SHA512: f9028da4a2976e953a37d9c1250ca8c4e109eea428118655d6f91b72fc4ecfb7aaf7aac9019cbe18f92182ccebce7a37452ae6438823290ce17076a7a9bed836

Filesize: 5.2MB
MD5: 885b8f8f5aeeee15af15294ba112d684
SHA1: 7fc6935b5059e5fc6b43a277be880c9a3d9d61a9
SHA256: e4187c1d9dc702b770ecdf4c93e237cdafe52c852bb6f6e9160c1e75493f45b6
SHA512: 96fd39c93813d9a5283766ce14a9c33b60f8a236ee6b7d14434e1896413263b461352198911d1ba09f5795dce35150ed497ed4acb47d4cc2801fc27cd463571c

Filesize: 5.2MB
MD5: 9ba8f42f48c81e4c0a0ead8659d9f466
SHA1: cb36d707b12eef000506bc1da8eb787ddd07c5f1
SHA256: 218a1e63a2965155c694206f591ae16d797221ac96346ea4b089c583fa477429
SHA512: beb3629785d806e9d887982370cff0e2eb2f18088a029d678607d93fe1cd9aee47039aab506fff1928d77e06f747d7d7460a8fbfa119bad056be8767879d953b

Filesize: 5.2MB
MD5: 8ecb5a9905030da2cce9679315118d09
SHA1: ee8f37d65e1a697e22975bf78293e799e785fdbc
SHA256: efba3f48db88aca2dd334f723541a88baa4bd0f62e525766f6ed33ae7b802290
SHA512: 179a4462b144d145fad98f01b9ac162e34cfe762b58880cea2818ac9d01f0a096656f4729f8a51e481e2e4a9e0d742b8356c003ff39af57c2b3fbd2923767745

Filesize: 5.2MB
MD5: 3cb50921a7ef4122c123f616f1b39aa9
SHA1: c98734c6d0459df4db4db41aac4a4557224b375e
SHA256: fd815343424931793e15c3d6ab0ced70d7abd14c571443b580b0d8b1d5d0649c
SHA512: 07be1471ae1c1b3efe4a08a9c464a8527cf6c820570750d53cf6f7e7a3347e3bcf2b75a05aa06534ebc847901b1b2d5511fd632db314c11d55b5b4966d40836c

Filesize: 5.2MB
MD5: 893b567bbc5b42a50cc79ef45cb228f3
SHA1: cb6db005ea5d190f32734d11341863e63c91e2e5
SHA256: 3b21bb387ae78d1f4fd40e2fafe7d451828dfc2692fce63edd19dadc9145054c
SHA512: 842f5e88a0539014736656ade9844b6405ddce68b20866e62a643c1bdce95477991b588b78c7fa9b97ad65a98442951de71c6dbe834ebf3139db2f59d8cc04cd

Filesize: 5.2MB
MD5: 3b77a5b8cc8e71f37e4223dc7fee4173
SHA1: d69c4ed183b89f8dfc4f955a37715851695c172c
SHA256: aa9a03920057d1d6f17f389d1ae8b00f050c619f57e1a3537e6ba6fde2a3aaec
SHA512: 2882153983b3fabc139eb18f885b6b52da94fa2a29ba279712d2411a6ab32a7c796a6211aa2c5b38241d1d1675b7ead0ad36fa5748c1661504eb221501632d98